baoyu-danger-x-to-markdown

Fail

Audited by Gen Agent Trust Hub on Apr 24, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill contains a hardcoded X (Twitter) bearer token in scripts/constants.ts. It also implements logic to harvest sensitive authentication cookies (auth_token, ct0) from a running Google Chrome instance via the Chrome DevTools Protocol (CDP) or from environment variables. These harvested credentials are stored in a local JSON file (cookies.json) within the user's application data directory for session persistence.
  • [COMMAND_EXECUTION]: The skill executes shell commands using bun or npx to run its internal TypeScript logic. It also uses the ps aux command on non-Windows systems to identify running browser processes for credential extraction.
  • [EXTERNAL_DOWNLOADS]: Fetches and saves media assets (images and videos) from X's content delivery networks (pbs.twimg.com and video.twimg.com) to the local disk when the media download option is enabled.
  • [DATA_EXFILTRATION]: Transmits extracted user authentication tokens to X's internal GraphQL endpoints to retrieve tweet and article data.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted content from X.
      • Ingestion points: Fetches raw tweet and article text from the X API (managed in scripts/graphql.ts).
      • Boundary markers: The untrusted content is formatted directly into the Markdown output without delimiters or warnings to ignore embedded instructions.
      • Capability inventory: The skill environment allows for command execution (bun), file system writes, and network operations.
      • Sanitization: While it sanitizes slugs for file path safety, it does not filter or sanitize the body of tweets for malicious instructions that could influence the agent's next steps.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 24, 2026, 10:59 AM